Author Topic: Help Possible Infection - Logs Inside

PantherAKS

Help Possible Infection - Logs Inside
« on: June 20, 2011, 10:01:29 PM »
I hope this is the right section for this, but I suspect my computer might have been infected with a rootkit after a recent browser takeover. When (full) scanning with MalwareBytes and Avast it BSODs after an hour or so. Spybot picked up a few problems and fixed them, but MalwareBytes or Avast quick scans come out clean. Upon scanning with aswMBR two red lines appear (@12:47:57.777 and @12:47:57.792); here is the log:

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-20 12:47:50
-----------------------------
12:47:50.527    OS Version: Windows x64 6.1.7600
12:47:50.527    Number of processors: 8 586 0x1A05
12:47:50.527    ComputerName: SPOONEDTODEATH  UserName: MagicMan
12:47:51.433    Initialize success
12:47:51.511    AVAST engine defs: 11061900
12:47:55.699    Disk 0  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T1L0-c
12:47:55.699    Disk 0 Vendor: WDC_WD3200AAKS-22SBA0 12.01B01 Size: 305245MB BusType: 3
12:47:55.699    Disk 1 (boot) \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP5T1L0-a
12:47:55.699    Disk 1 Vendor: SAMSUNG_HD103UJ 1AA01118 Size: 953869MB BusType: 3
12:47:55.714    Disk 1 MBR read successfully
12:47:55.714    Disk 1 MBR scan
12:47:55.714    Disk 1 Windows 7 default MBR code
12:47:55.714    Service scanning
12:47:57.761    Disk 1 trace - called modules:
12:47:57.777    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800b08c2c0]<<
12:47:57.777    1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa800b5b1060]
12:47:57.792    3 CLASSPNP.SYS[fffff8800140143f] -> nt!IofCallDriver -> [0xfffffa800b232670]
12:47:57.792    5 ACPI.sys[fffff8800119b781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP5T1L0-a[0xfffffa800b24b060]
12:47:57.792    \Driver\atapi[0xfffffa800b1d3920] -> IRP_MJ_CREATE -> 0xfffffa800b08c2c0
12:47:58.496    AVAST engine scan C:\Windows
12:51:58.121    Disk 1 MBR has been saved successfully to "C:\Users\MagicMan\Desktop\MBR.dat"
12:51:58.121    The log file has been saved successfully to "C:\Users\MagicMan\Desktop\aswMBR.txt"


Also I have yet to completely finish a full scan, either it will lock up the system or BSOD. Here is the BSOD info. ::EDIT:: I think it has something to do with the "AV engine" selection. If I select "none" the scan finishes immediately and posts the same results.

Problem signature
  Problem Event Name   BlueScreen
  OS Version   6.1.7600.2.0.0.768.3
  Locale ID   1033

Additional information about the problem
  BCCode   be
  BCP1   FFFFF88000EA30B0
  BCP2   8000000003CC6161
  BCP3   FFFFF8800DD8B300
  BCP4   000000000000000B
  OS Version   6_1_7600
  Service Pack   0_0
  Product   768_1

Files that help describe the problem
  C:\Windows\Minidump\062011-24140-01.dmp
  C:\Users\MagicMan\AppData\Local\Temp\WER-42578-0.sysdata.xml

Read our privacy statement online
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0409

If the online privacy statement is not available, please read our privacy statement offline
  C:\Windows\system32\en-US\erofflps.txt



Thanks in advance. Any help is appreciated.
-Kevin
« Last Edit: June 20, 2011, 10:04:00 PM by PantherAKS »
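What the two red aswMBR lines are saying can be checked mechanically. The script below is an added example, not aswMBR's code and not part of this thread: it parses the trace block quoted above and the WER problem signature, pulls out the address aswMBR marked >>UNKNOWN<<, checks whether any driver dispatch entry in the same trace resolves to that address, and names the bug check code. The sample lines are copied from the post; the bug check names and parameter meanings are from Microsoft's bug check reference; the verdict wording is this example's own.

```python
import re

# Constructed sample input: the aswMBR trace block and the WER problem
# signature from the post above, reproduced line for line.
ASWMBR_TRACE = "\n".join([
    r"12:47:55.714    Disk 1 Windows 7 default MBR code",
    r"12:47:57.761    Disk 1 trace - called modules:",
    r"12:47:57.777    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xfffffa800b08c2c0]<<",
    r"12:47:57.777    1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0xfffffa800b5b1060]",
    r"12:47:57.792    3 CLASSPNP.SYS[fffff8800140143f] -> nt!IofCallDriver -> [0xfffffa800b232670]",
    r"12:47:57.792    5 ACPI.sys[fffff8800119b781] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP5T1L0-a[0xfffffa800b24b060]",
    r"12:47:57.792    \Driver\atapi[0xfffffa800b1d3920] -> IRP_MJ_CREATE -> 0xfffffa800b08c2c0",
])

WER_SIGNATURE = """
BCCode   be
BCP1   FFFFF88000EA30B0
BCP2   8000000003CC6161
BCP3   FFFFF8800DD8B300
BCP4   000000000000000B
"""

HEX = r"0x[0-9a-fA-F]+"
UNKNOWN_RE = re.compile(rf">>UNKNOWN \[({HEX})\]<<")
DISPATCH_RE = re.compile(rf"\\Driver\\(\w+)\[{HEX}\] -> (IRP_MJ_\w+) -> ({HEX})")
MBR_RE = re.compile(r"Disk (\d+) (.*MBR code)")

# Bug check names and what the first parameters mean, from Microsoft's bug
# check reference. Only the two codes that appear in this thread.
BUGCHECKS = {
    0xBE: ("ATTEMPTED_WRITE_TO_READONLY_MEMORY",
           "BCP1 = virtual address written, BCP2 = PTE contents; "
           "kernel-mode code wrote to a read-only page (typically a driver)"),
    0x9C: ("MACHINE_CHECK_EXCEPTION",
           "fatal hardware error reported by the CPU's machine-check "
           "architecture; points at hardware, not at a driver"),
}


def known_modules(text):
    """Modules aswMBR could attribute on the call-chain line, before >>UNKNOWN."""
    for line in text.splitlines():
        if ">>UNKNOWN" in line:
            return line.split(">>UNKNOWN")[0].split()[1:]  # drop the timestamp
    return []


def analyze_trace(text):
    """MBR verdict per disk, the addresses aswMBR could not map to any loaded
    module, and every driver dispatch routine that resolves to one of them."""
    unknown = {int(a, 16) for a in UNKNOWN_RE.findall(text)}
    hooked = []
    for drv, irp, target in DISPATCH_RE.findall(text):
        if int(target, 16) in unknown:
            hooked.append(f"\\Driver\\{drv} {irp} -> {target} (no owning module)")
    return {
        "mbr": {int(d): s for d, s in MBR_RE.findall(text)},
        "chain": known_modules(text),
        "unknown": sorted(f"0x{a:x}" for a in unknown),
        "hooked_dispatch": hooked,
    }


def decode_bugcheck(text):
    """Read BCCode/BCP1..4 out of a WER 'Problem signature' block."""
    code = int(re.search(r"BCCode\s+([0-9a-fA-F]+)", text).group(1), 16)
    params = [int(re.search(rf"BCP{i}\s+([0-9A-Fa-f]+)", text).group(1), 16)
              for i in range(1, 5)]
    name, note = BUGCHECKS.get(code, ("not in table", ""))
    return {"code": code, "name": name, "note": note, "params": params}


if __name__ == "__main__":
    r = analyze_trace(ASWMBR_TRACE)
    print("MBR:", r["mbr"])
    print("chain:", " -> ".join(r["chain"]), "-> ?? at", r["unknown"])
    for h in r["hooked_dispatch"]:
        print("HOOK?", h)
    b = decode_bugcheck(WER_SIGNATURE)
    print(f"bugcheck 0x{b['code']:X} {b['name']}: {b['note']}")
```

On the posted log this reports that \Driver\atapi's IRP_MJ_CREATE dispatch pointer is the same address aswMBR could not attribute to any module. That is what a kernel-mode hook on the disk stack looks like, but it is also what a legitimate filter driver that the scanner does not recognise looks like, so it is a lead to chase with a rootkit-specific tool, not proof by itself. The 0xBE bug check (a write to a read-only page from kernel code) is at least consistent with that; the 0x9C posted later in the thread is a machine-check exception, which the CPU raises for a hardware fault and which does not implicate any driver.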

Online DavidR

Re: Help Possible Infection - Logs Inside
« Reply #1 on: June 20, 2011, 10:21:13 PM »
Presumably you are also getting avast alerts on Malicious URLs ?

As this Unknown element has been associated with a rootkit, and not specifically an MBR rootkit, which is what aswMBR is looking for.

So you can try this tool, which looks more specifically at rootkits:
Quote from: essexboy

Second opinion now

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.



PantherAKS

Re: Help Possible Infection - Logs Inside
« Reply #2 on: June 20, 2011, 10:46:12 PM »
Thank you for the quick reply, hopefully this new log will give you some useful information. If you need any other scans please let me know and I'll post them immediately. The scan found one locked object similar to the one in the example.

Again, many thanks,
-Kevin

TDSSKiller Log Attached (Could not paste, exceeds 1000 character limit)

(Please see next post for ANSI formatted log file)
« Last Edit: June 20, 2011, 10:58:44 PM by PantherAKS »

Offline Pondus

Re: Help Possible Infection - Logs Inside
« Reply #3 on: June 20, 2011, 10:53:12 PM »
you need to save the log as ANSI as now it is just Chinese gibbely gobbel

PantherAKS

Re: Help Possible Infection - Logs Inside
« Reply #4 on: June 20, 2011, 10:57:54 PM »
Sorry about that, here is the updated log saved in ANSI.

Thanks again.

Offline essexboy

Re: Help Possible Infection - Logs Inside
« Reply #5 on: June 20, 2011, 11:05:56 PM »
This could be a Volsnap infection, as that is TDSSKiller's blind spot.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

PantherAKS

Re: Help Possible Infection - Logs Inside
« Reply #6 on: June 20, 2011, 11:35:50 PM »
Here is the ComboFix Log Report. Not sure if this was normal, but it restarted my computer and prepared the Log Report upon starting up. Also Windows wants to run a CHKDSK when it boots, should I let it?

Thanks again.

Offline essexboy

Re: Help Possible Infection - Logs Inside
« Reply #7 on: June 20, 2011, 11:42:27 PM »
Yes, allow a check disk.

Hmm not much showing there - what are your current symptoms ?

PantherAKS

Re: Help Possible Infection - Logs Inside
« Reply #8 on: June 21, 2011, 12:55:32 AM »
- Allowed Windows to run CHKDSK upon reboot; this time it worked for one of the drives. On the other drive (f:\) CHKDSK tries to repair the security descriptors but fails due to:

"Insufficient disk space to fix the security descriptors data stream"

While..

"Inserting an index entry with Id XXXX into index $SII of file 9"

Where XXXX is a number continually increasing. CHKDSK is still currently running switching between those two lines.

::EDIT::
CHKDSK finally finished and posted this:

Repairing the security file record segment.
161552 file SDs/SIDs processed
Security descriptor verification completed.
13101 data files processed.
CHKDSK is verifying Usn Journal...
Repairing usn journal $J data stream.
Usn journal verification completed.
Insufficient disk space to fix uppercase file.
CHKDSK aborted.

- Also I cannot start up into safe mode because the system also hangs up on classpnp.sys.

- Additionally I cannot complete a full system scan with either Avast or MalwareBytes without Windows crashing and BSOD'ing (see code in OP). I believe the original code was something like this (searched on my laptop to see what caused the BSOD):

Problem Event Name: BlueScreen
OS Version: 6.1.7600.2.0.0.768.3
Locale ID: 2057

Additional information about the problem:
BCCode: 9c
BCP1: 0000000000000000
BCP2: FFFFF8800318EC70
BCP3: 0000000000000000
BCP4: 0000000000000000
OS Version: 6_1_7600
Service Pack: 0_0
Product: 768_1

- Also I still need to install SP1 for Windows 7, which might help. Windows will say "Shutting Down" for a long time, whereas before it would shut down immediately; now I have to manually turn it off. About half the time Windows tries to start but never gets past the "Starting Windows" screen (black with the Windows icon, and Copyright Microsoft Corporation). All these issues started with the browser takeover (could not close, infinite popups, had to Ctrl-Alt-Del and scan, leading to BSODs).
« Last Edit: June 21, 2011, 01:09:15 AM by PantherAKS »

Offline essexboy

Re: Help Possible Infection - Logs Inside
« Reply #9 on: June 21, 2011, 07:09:00 PM »
Update to SP1 and on completion could you run an OTS scan as below.

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Check the box that says 64 bit
  • Under Additional Scans check the following:
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

  • Under the Custom Scan box paste this in

%USERPROFILE%\..|smtmp;true;true;true /FP
%SYSTEMDRIVE%\*.exe
/md5start
classpnp.sys
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT


  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
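The /md5start ... /md5stop part of that custom scan asks OTS to hash the files a Volsnap-type infection patches in place. The script below is an added example, not OTS's code and not from this thread, showing the check that list implies: find every copy of each named file under a Windows tree (System32, System32\drivers, WinSxS), hash them, and flag any file whose copies disagree with each other or whose hash differs from a known-good baseline. The directory tree, the file contents and the baseline hashes are constructed for the demo; on a real machine root would be C:\Windows, run elevated, and the baseline would be taken from a clean install of the same build.

```python
import hashlib
import os
import tempfile

# File names taken from the OTS /md5start ... /md5stop list above.
WATCHED = ["classpnp.sys", "volsnap.sys", "explorer.exe",
           "winlogon.exe", "userinit.exe", "svchost.exe"]


def file_md5(path):
    """MD5 of a file, read in chunks. MD5 because that is what OTS reports;
    use sha256 if the baseline you compare against was made with it."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root, names, skip=("syswow64",)):
    """Walk root and return {name: [paths]} for every file whose basename is
    in names. SysWOW64 is skipped by default: its 32-bit copies of svchost.exe
    and friends legitimately differ from the 64-bit ones in System32."""
    wanted = {n.lower() for n in names}
    found = {n: [] for n in wanted}
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d.lower() not in skip]
        for fn in files:
            if fn.lower() in wanted:
                found[fn.lower()].append(os.path.join(dirpath, fn))
    return found


def audit(root, names, baseline=None):
    """Return (name, verdict, detail) tuples.
    MISMATCH: copies under root disagree with each other (what an in-place
    patched driver leaves next to its pristine WinSxS copy).
    UNEXPECTED: copies agree, but not with the known-good hash in baseline.
    missing: no copy at all."""
    baseline = baseline or {}
    report = []
    for name, paths in sorted(find_copies(root, names).items()):
        if not paths:
            report.append((name, "missing", "no copy found under root"))
            continue
        hashes = {p: file_md5(p) for p in paths}
        distinct = set(hashes.values())
        if len(distinct) > 1:
            detail = "; ".join(f"{os.path.relpath(p, root)}={h}" for p, h in hashes.items())
            report.append((name, "MISMATCH", detail))
        elif name in baseline and baseline[name] not in distinct:
            report.append((name, "UNEXPECTED", f"{distinct.pop()} != baseline {baseline[name]}"))
        else:
            report.append((name, "ok", f"{len(paths)} copies, md5 {distinct.pop()}"))
    return report


def build_demo_tree(root):
    """Constructed Windows-like tree, not a real system: classpnp.sys has two
    identical copies, volsnap.sys has a System32\\drivers copy that differs
    from its WinSxS copy, svchost.exe does not match its baseline, and
    winlogon.exe is absent."""
    layout = {
        "Windows/System32/drivers/classpnp.sys": b"CLASSPNP-clean",
        "Windows/winsxs/amd64_classpnp/classpnp.sys": b"CLASSPNP-clean",
        "Windows/System32/drivers/volsnap.sys": b"VOLSNAP-clean" + b"\x90" * 16,
        "Windows/winsxs/amd64_volsnap/volsnap.sys": b"VOLSNAP-clean",
        "Windows/System32/svchost.exe": b"SVCHOST-modified",
        "Windows/SysWOW64/svchost.exe": b"SVCHOST-32bit",
        "Windows/explorer.exe": b"EXPLORER-clean",
        "Windows/System32/userinit.exe": b"USERINIT-clean",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)


# Constructed baseline: the hashes a clean machine of the same build would give.
DEMO_BASELINE = {
    "svchost.exe": hashlib.md5(b"SVCHOST-clean").hexdigest(),
    "explorer.exe": hashlib.md5(b"EXPLORER-clean").hexdigest(),
}


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return audit(tmp, WATCHED, DEMO_BASELINE)


if __name__ == "__main__":
    for name, verdict, detail in run_demo():
        print(f"{verdict:10} {name:14} {detail}")
```

Hash agreement only proves the copies match each other or a list you trust. The stronger check on a live box is Authenticode verification (sigcheck.exe or PowerShell's Get-AuthenticodeSignature), since a patched driver fails its signature no matter what any baseline says; the hash comparison is still useful offline, where the disk is mounted from a clean boot medium and no signature-checking tool is available.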

PantherAKS

Re: Help Possible Infection - Logs Inside
« Reply #10 on: June 22, 2011, 11:45:47 PM »
Updating to SP1 and removing that old hard drive seemed to fix all the issues. I can now complete full scans with Avast (boot scan) and MalwareBytes without any issues. All scans turned up clean and now the computer is functioning again as normal. Do you recommend still doing an OTS scan?

Offline essexboy

Re: Help Possible Infection - Logs Inside
« Reply #11 on: June 23, 2011, 07:22:37 PM »
If you are happy then no - I feel it was a problem with some system files being a bit corrupted


PantherAKS

Re: Help Possible Infection - Logs Inside
« Reply #12 on: June 24, 2011, 01:14:49 AM »
Thank you all so much for your help. Both my wife and I appreciate it.  :)